virtumonde help

Hello,
This is my first post. Ugh! :-[ Can someone walk me through the steps on how to get rid of and repair any damage done by a virus I have? Avast indetifies it as being in the virtumonde family. I may have damaged my system a bit by monkeying around… I deleted files from my “Temp” files, used CCleaner, and hit “delete” in stead of “move to chest” many times on later to read that this is not recommended. I researched a little about virtumonde and havew seen that often a forum member who is an expert asks for some kind of file from “HiJackThis” to look at before they recommend a set of actions. I don’t know what “HiJackThis” is. Would anyone be willing to walk a poor sap like me through fixing this problem? I would be very much appreciated. Thanks! Sig.

Hi Sig,

First make sure you have tried a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

Then run scans with:

SUPERAntiSpyware Free
Malwarebytes’ Anti-Malware

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Finally, run a scan with this specialist removal tool:

VundoFix

If still having problems, post a HijackThis! log.

Good luck!

Hi Sig,

  1. Delete the Autorun.inf file of your C: drive. To do it:
    Open the command prompt, and type:
    cd \
    attrib -s -h -r autorun.inf
    del autorun.inf

  2. Download and run Firefox to protect you from future spyware attacks and pop-ups which are coming in through Internet Explorer (Trojan downloaders, Win32). Then update your Windows through Firefox.

Browser attacks aren’t easy to spot because they piggyback on legitimate traffic that doesn’t exhibit many obvious warning signs.
3. Run VundoFix and ComboFix: http://securitynewsfromthenet.blogspot.com/2007/05/vundofix-and-combo-fix.html
4. Run Malwarebytes Anti-Malware from: http://securitynewsfromthenet.blogspot.com/2008/03/malwarebytes-anti-malware-105.html
5. Run SuperAntiSpyware against the nasties: http://securitynewsfromthenet.blogspot.com/2007/04/superantispyware-home-edition-free.html
6. Run a complete scan with free curing utility Dr.Web CureIt!
http://www.freedrweb.com/

polonus
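Step 1 above deletes autorun.inf blind. It is worth reading the file first, because the `open=`, `shellexecute=` and `shell\<verb>\command=` keys tell you which executable the dropper planted and where, which is what the scanners in steps 3 to 6 then need to find. The script below is an added example written for this thread, not a tool from any of the posters: it parses an autorun.inf, lists every command it would launch, and then does the equivalent of `attrib -s -h -r` plus `del`. The sample autorun.inf and the file name `RECYCLER\hidden.exe` in it are constructed for illustration, not taken from a real infection.

```python
"""Inspect and remove an autorun.inf from the root of a drive.

Added example, not from the original thread. The sample autorun.inf below
is constructed for illustration; the executable names in it are hypothetical.
"""
import os
import stat
import sys
import tempfile

# Keys in the [autorun] section whose value is executed when the drive is
# opened: open= and shellexecute=, plus any shell\<verb>\command= entry,
# which runs when that verb is picked from the drive's context menu.
# icon= and label= are cosmetic.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return key/value pairs of the [autorun] section with keys lowercased.

    Hand-rolled instead of configparser because malware-written files are
    sloppy: duplicate keys, stray lines, no trailing newline. First value
    of a duplicated key wins, which matches how the shell reads the file.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries):
    """List (key, command) for every entry that would run something."""
    targets = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            targets.append((key, value))
    return targets


def inspect_drive_root(root):
    """Report what the autorun.inf under `root` would launch; None if absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return launch_targets(parse_autorun(fh.read()))


def clear_attributes_and_remove(path):
    """Equivalent of 'attrib -s -h -r' followed by 'del'. True if removed."""
    if not os.path.exists(path):
        return False
    if sys.platform == "win32":
        import ctypes
        FILE_ATTRIBUTE_NORMAL = 0x80  # clears system, hidden and read-only
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    else:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    os.remove(path)
    return not os.path.exists(path)


# Constructed sample: a dropper pointing the drive's Open/Explore actions at
# a hidden executable. Not a real sample.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\hidden.exe
shell\\open\\Command=RECYCLER\\hidden.exe
shell\\explore\\command=RECYCLER\\hidden.exe -e
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Local Disk
"""


def demo_removal():
    """Write the sample into a temp dir, make it read-only, inspect, remove."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "autorun.inf")
    with open(path, "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    os.chmod(path, stat.S_IREAD)  # simulate the read-only attribute
    found = inspect_drive_root(tmp)
    removed = clear_attributes_and_remove(path)
    os.rmdir(tmp)
    return found, removed


if __name__ == "__main__":
    for key, target in launch_targets(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{key} -> {target}")
    # On the infected machine, run elevated and check every drive root:
    # for root in ("C:\\", "D:\\", "E:\\"):
    #     print(root, inspect_drive_root(root))
    #     clear_attributes_and_remove(os.path.join(root, "autorun.inf"))
```

On Windows the removal path calls `SetFileAttributesW`, which clears system, hidden and read-only in one go; elsewhere it falls back to `os.chmod` so the script can be tried on a clean box. Whatever `launch_targets` reports is the path to hand to the scanners, and to check on every removable drive too, since the same dropper re-seeds the C: root from a USB stick.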

Hello FreewheelinFrank and Polonus,

I just wanted to say thank you for your replies and your help with my virtumonde problem! Problem solved! I first went through FreewheelinFrank’s steps and was amazed with the success. Because the virus seemed so bad and unremovable (I had tried many anti-spyware and anti-adware programs) I was skeptical that these would work. One of the trojans had taken over my desktop background and removed any options to change it. Also, if I let my computer sit idle for 10 minutes, one of the trojans made it look like my computer was restarting over and over, but really, if I just hit Esc it would bring my screen back. Crazy stuff. However, just by running a boot time avast scan, SUPERAntiSpyware and Malwarebytes’ Anti-Malware programs I got my machine back. Man, Malwarebytes’ Anti-Malware program was the one that really scrubbed my machine clean. Good stuff! I had already used VundoFix and yeah, it had found 1 infection, but didn’t do the trick like Malwarebytes’ program.

Thanks again guys, you really helped me out. I wanted to let you know.

I’ll try to be more careful in the future… :slight_smile:

Sig

:slight_smile:

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

Help please! Symantec Free Virus Scan says I have Vundo.B. Avast and AVG don’t see it. (Computer running VERY sluggish.) When I try to download VundoFix as you and many other help sites recommend, Avast alerts that IT has brought in a trojan and also that the trojan has appeared in Temp Internet Files. So I delete both and don’t dare download the fix! Tried 2 different download sites; Avast hits me with a trojan alert from both. What should I do? Thanks!

Three AV’s at the same time is a bad, bad idea.

Uninstall AVG, avast! and symantec, rebooting when requested. Run the Symantec removal tool:

http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Reinstall avast! and allow the boot time scan option.

The detection of VundoFix is a false positive: you’ll need to disable avast! while running the program.

Thank you!!! Did what you said and the boot time scan showed no Vundo BUT showed Win32:Prosti-BT trojan in 2 files, which didn’t show on last night’s scan, and which I dealt with. The Symantec was the streaming virus scan so no uninstall needed, and the AVG was just laziness as it came with XP. Just have avast on now and fingers crossed. (I also run AdAware and SpyBot regularly, so I’m not THAT lazy :slight_smile:)

(I also run AdAware and SpyBot regularly, so I'm not THAT lazy :-)
I find that Ad-Aware and Spybot S&D only find tracking cookies once infections are removed.

A much better way to do things is to not let infections onto your system in the first place with SpywareBlaster, Windows Defender and WinPatrol:
http://www.javacoolsoftware.com/sbdownload.html
http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
http://www.winpatrol.com

Keep the definitions updated at least daily.

Will try to find time to get to that :frowning:
Thanks for the advice!

micro
Congrats.
Let me get a couple of things straight:
You were running the Symantec online scan and have NEVER had Symantec/Norton installed, right?
Only AVG previously, right? And it’s removed, not just disabled?

Did you try the MBAM and SAS scans mentioned in the post above?
Follow FreewheelinFrank’s instructions.
Post logs if they find anything, and quarantine, do not delete/remove hits.
Both or either will be more useful than Ad-Aware.
If you do not have time now, do it later, but in that case run the Malwarebytes RogueRemover tool as a double check.
Let’s cross our fingers that you are clean.
If not, post the logs.